Data encryption laws?

Hello.

I am making a Xojo application for sale which does file encryption. I am unclear on what’s required to be within the law. As I understand each country may have their own requirements for local and exports. I’d like to hear from anyone who knows about the varying country requirements regarding local or exported software which performs data encryption.

My Xojo application won’t contain the encryption algorithms. I will be using openSSL. According to what I’ve read openSSL does have a U.S. ECCN number which is 5D002. Since my application is basically a wrapper for openSSL I am wondering if I am supposed to use this number citing openSSL somewhere in my application and if that makes me legal or do I have to file with the different governments for my application?

I have also read online that other requirements may be necessary such as providing law enforcement with a backdoor password or the actual encrypting password should they request it.

Since products like Carbonite, Xojo with it’s encrypted database, and OS X with openSSL and zip do data encryption as part of their functions I’m wondering how they are legally doing this?

Does they provide back door passwords or the encrypting passwords to the Police if they request it?
Did they file for a ENC certificate or some other governmental paperwork?

I see someone here has an encrypting Mac app for sale called ZipEnc on Apple’s app store that does zip encryption on files.
I wonder if he is investigated by the U.S. government or other governments will he have to pay a fine or face criminal charges?
Did he file with the varying governments for the right to sell encrypting software or did he cite the encrypting technology’s governmental paperwork?

Right now I don’t want to hire a software lawyer. My experience with different lawyers in the past is that they charge a lot of money for inaccurate information. or information that could of been found online from other experienced users for free. Later on if I do end up hiring a software lawyer I’d like to be armed with solid information before I pay, pay, pay.

In the meantime I’m still reading about this on the internet and have found some good sources.

http://www.bis.doc.gov/index.php/policy-guidance/encryption
http://www.bis.doc.gov/index.php/policy-guidance/encryption/classification#One
http://www.apache.org/dev/crypto.html

Thanks for your help.

to make sure you don’t end up in trouble get pointers from people here but get real legal advice at some point

You’re not likely to run into requests to decrypt your customers data. If you ever do, that’s a good time to get a lawyer involved. Unless your customer is going to detonate a nuke, you’re probably on the winning side of the whole PR battle if you sit in the hole for a weekend while your lawyer fends off their request. If a nuke might be involved, well, you’re gonna get tortured, so decide what your limbs, eyelids, etc. are worth to you.

I was once questioned by a French defense official over “importing” a database with strong encryption from Denmark to a Paris trade show. I told the guy I just had (really lame) marketing material, and that the whole database demo was running on Danish server. I also told him that patriotic French customers were responsible for obtaining any necessary munitions import licenses. It was all I could do to not make a Maginot Line crack.

In short, and more seriously… They tried making math illegal in the 90s. They failed. If you’re not intentionally selling to criminals, you have nothing special to worry about with deploying encryption.

As long as your application does not contain encryption, you are probably safe. The same way browsers which use SSL are not considered encryption tools. But this being arguable, you probably still need some legal advice let alone for the writing of disclaimers you may need in your user license, declining responsibility for any bad use on the part of user.

My 2 cents…

I guess at some point I’ll have to contact a lawyer who knows about this kind of stuff.

What does Xojo do for it’s encryption database ability to be legal?

Did Xojo the company have file anything with governments or list anything in their licensing?

Oh no, my app has encrypted database files (SHA-512), in order to provide security for the data in each database.

Now I’m worried that it may actually be illegal in the UK to provide software with encrypted database files :frowning:

[quote=65111:@Richard Summers]Oh no, my app has encrypted database files (SHA-512), in order to provide security for the data in each database.

Now I’m worried that it may actually be illegal in the UK to provide software with encrypted database files :([/quote]

Don’t loose any sleep over it! Under EU data protection directives you are required to take all reasonable means to secure private data and that includes encryption! In fact you could be penalized for failing to encrypt private data, should it fall into the wrong hands. And in some cases when dealing with medical data, encryption is mandatory. So the provision of encrypted databases to customers in the EU/EEA is fine.

Thank you.

Does anyone happen to know if a SHA-512 encrypted database is legal in the UK though?

SHA-512 isn’t encryption, it is hashing. And a hashed database is useless. So I’m not sure what you’re asking.

Well as Thom points out SHA-512 is a hash and not encryption and furthermore more an EU directive always trumps national law.

I don’t think an EU directive would trump the laws of a non-EU country…

The OP was asking about the UK, not a non EU country